Using the CTL Client

The Cisco CTL client software, available as a plug-in application on Cisco CallManager Administration, is used to create or update the Certificate Trust List (CTL). The CTL is a list of the trusted certificates in the CallManager cluster. When the list is accurate, the Cisco CTL client will ensure that the CTL is signed by the keys of the Cisco CTL client. These keys are stored on an external Universal Serial Bus (USB) devicethe security token. When the CTL needs to be signed, the Cisco CTL client passes the CTL to the security token, and the security token signs it and then returns the signed CTL to the Cisco CTL client application. The Cisco CTL client is needed in these situations:

  • For the initial activation of security in your cluster
  • For the deactivation or reactivation of security in your cluster
  • After modifying Cisco CallManager or Cisco TFTP server configuration (which includes adding, removing, renaming, or restoring a server or changing the IP address or hostname of a server)
  • After adding or removing a security token (due to theft or loss)
  • After replacing or restoring a Cisco CallManager or Cisco TFTP server

In all the situations listed, the Cisco CTL client creates a new CTL and signs it by using a security token. The Cisco IP Phones load the new CTL and are then aware of the changes to the IP telephony system. Any changes that are not reflected in the CTL (for instance, if you change the IP address of a server but do not create a new CTL using the Cisco CTL client application) cause the Cisco IP Phones to treat the corresponding device as untrusted. From this perspective, the CTL can be seen as the certificate root store of your browser (listing all trusted certificate-issuing entities). If any device that was previously trusted is not trustworthy anymore (for instance, when a security token is lost), there is no need for a certificate revocation list (CRL). Instead, you will use the Cisco CTL client and update the CRL by removing the untrusted entry (for instance, a lost security token) from the list.

Installing the CTL Client

The Cisco CTL client application can be installed on any PC running Microsoft Windows 2000 or XP Workstation or Microsoft Windows 2000 or 2003 Server, as long as the PC has at least one Universal Serial Bus (USB) port. This device can be any Cisco CallManager server in your cluster or any client PC.

The Cisco CTL client application is installed from the Cisco CallManager Administration Install Plugins window. You can accomplish the installation just by walking through a simple wizard, as shown in Figure 27-2. During installation, you are prompted for the destination folder; you can set any directory of your choice or simply accept the default.

Figure 27-2. Installing the CTL Client

The Smart Card service has to be activated on the PC. To activate the Smart Card service under Microsoft Windows 2000, choose Start > Settings > Control Panel > Administrative Tools > Services to launch the Microsoft services administration tool. Then use the tool to verify the status of the Smart Card service. The service should have the startup type of Automatic and the Current Status should be Running.

After you have installed the CTL Client, you can access it from the icon automatically placed on your desktop. Initially, it will ask for the CallManager server information for the cluster, as shown in Figure 27-3.

Figure 27-3. Configuring the CTL Client

After entering the CallManager server information and successfully authenticating, you can either set the cluster security mode or update the CTL file. A Cisco CallManager cluster supports two security modes:

  • Mixed mode This mode allows secure calls between two security-enabled devices and allows nonsecure calls between devices where at least one of the devices is not security-enabled.
  • Nonsecure mode This is the default configuration, in which all calls are nonsecure.


There is no secure-only mode. This setting would prevent Cisco IP Phones without security enabled from placing calls. Many Cisco IP Phones do not support security features and would not be able to operate in a secure-only environment.

In addition to setting the cluster security mode, you use the Cisco CTL client to update the CTL file. This update is needed after adding or removing components, such as servers or security tokens. After changing the list of CTL entries, you need to sign the new CTL using a security token.

Working with Locally Significant Certificates

Part I: Cisco CallManager Fundamentals

Introduction to Cisco Unified Communications and Cisco Unified CallManager

Cisco Unified CallManager Clustering and Deployment Options

Cisco Unified CallManager Installation and Upgrades

Part II: IPT Devices and Users

Cisco IP Phones and Other User Devices

Configuring Cisco Unified CallManager to Support IP Phones

Cisco IP Telephony Users

Cisco Bulk Administration Tool

Part III: IPT Network Integration and Route Plan

Cisco Catalyst Switches

Configuring Cisco Gateways and Trunks

Cisco Unified CallManager Route Plan Basics

Cisco Unified CallManager Advanced Route Plans

Configuring Hunt Groups and Call Coverage

Implementing Telephony Call Restrictions and Control

Implementing Multiple-Site Deployments

Part IV: VoIP Features

Media Resources

Configuring User Features, Part 1

Configuring User Features, Part 2

Configuring Cisco Unified CallManager Attendant Console

Configuring Cisco IP Manager Assistant

Part V: IPT Security

Securing the Windows Operating System

Securing Cisco Unified CallManager Administration

Preventing Toll Fraud

Hardening the IP Phone

Understanding Cryptographic Fundamentals

Understanding the Public Key Infrastructure

Understanding Cisco IP Telephony Authentication and Encryption Fundamentals

Configuring Cisco IP Telephony Authentication and Encryption

Part VI: IP Video

Introducing IP Video Telephony

Configuring Cisco VT Advantage

Part VII: IPT Management

Introducing Database Tools and Cisco Unified CallManager Serviceability

Monitoring Performance

Configuring Alarms and Traces

Configuring CAR

Using Additional Management and Monitoring Tools

Part VIII: Appendix

Appendix A. Answers to Review Questions


Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
EAN: 2147483647
Year: 2004
Pages: 329 © 2008-2020.
If you may any questions please contact us: